October 24, 2004
Classy Comments reopened

So after having shut down comments a good while ago (not exactly a 'couple of days' as I originally intended), I have now introduced two anti-spam systems and opened my comment system again. The two systems: manual auditing and the world's simplest anti-robot Turing test.

My first idea was to do comment auditing. All comments would enter the greylist and I would only publish comments after accepting them. I figured that would take care of comment spam mostly. Previously I had only been subject to a few targeted spam attacks, easily identifiable since the spam messages arrive in bulk when they do. I thought I could easily handle the email notification flood of these attacks.
While that is probably true, I was surprised to find that approximately 20 minutes after I reopened the comment system I had received the first 5-10 pieces of spam. They didn't make it to the weblog of course, but it was still a notification hit to my email and attention system.
I figured that there was no reason to assume that this was some magic coincidence, but rather that I could expect spam like that for as long as I got notifications.
This led to a new front in the spam defense further from myself. I did what many people suggest you do: Make sure your comment system does not have the standard Movable Type signature. Some people change the name of the comment script, but the new name can still be crawled automatically. I introduced instead the world's simplest captcha: A new required field in my comment form where you have to enter a specified numerical value manually.
It works like a charm. My blog pages are still static HTML. It is not important that the secret manual sauce is random and noncomputable - it just has to be something they haven't already encountered on 1000 different weblogs. The auditing scheme I also have in place means there is no incentive to actually implement automated circumvention of my scheme. The spam comments won't make it onto the weblog anyway.
Obviously I have the luxury of being able to audit my comments manually, since volume is low. If that weren't the case I would have to go for a full-blown non-machinable comment entry system.
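
The two layers described in the post, as an added sketch that is not the script running on this weblog: a fixed number printed in the static page gates the form before any notification is sent, and everything that passes still waits for manual approval. The field name `antispam_number`, the value `4711` and the `CommentStore` class are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed placeholders: the post does not give the real field name or number.
CHALLENGE_FIELD = "antispam_number"
CHALLENGE_VALUE = "4711"  # printed as plain text next to the field in the static HTML

@dataclass
class CommentStore:
    pending: list = field(default_factory=list)    # awaiting the owner's audit
    published: list = field(default_factory=list)  # visible on the weblog
    notifications: int = 0                         # e-mails sent to the owner

    def submit(self, form: dict) -> str:
        """Handle one POST to the comment script and return its outcome."""
        answer = str(form.get(CHALLENGE_FIELD, "")).strip()
        text = str(form.get("text", "")).strip()
        # Layer 1: static challenge. A failed post is dropped before any
        # notification is sent, so generic bots cost the owner no attention.
        if answer != CHALLENGE_VALUE or not text:
            return "rejected"
        # Layer 2: manual audit. Nothing reaches the weblog automatically.
        self.pending.append({"author": str(form.get("author", "")), "text": text})
        self.notifications += 1
        return "pending"

    def approve(self, index: int) -> None:
        self.published.append(self.pending.pop(index))

    def discard(self, index: int) -> None:
        self.pending.pop(index)

def demo() -> dict:
    store = CommentStore()
    # Constructed sample submissions (not real traffic).
    posts = [
        {"author": "bot", "text": "cheap pills"},  # generic bot, no extra field
        {"author": "bot", "text": "cheap pills", CHALLENGE_FIELD: "1234"},  # wrong guess
        {"author": "reader", "text": "Nice post", CHALLENGE_FIELD: " 4711 "},
        {"author": "spammer", "text": "buy now", CHALLENGE_FIELD: "4711"},  # typed by hand
    ]
    outcomes = [store.submit(p) for p in posts]
    store.approve(0)   # owner accepts the reader's comment
    store.discard(0)   # owner drops the hand-entered spam
    return {"outcomes": outcomes, "notifications": store.notifications,
            "published": [c["text"] for c in store.published],
            "pending": len(store.pending)}

if __name__ == "__main__":
    print(demo())
```

Only the two submissions carrying the right number generate a notification, and the hand-entered spam is still stopped at the audit step.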

Posted by Claus at October 24, 2004 03:18 PM | TrackBack (1)
(note to spammers: Comments are audited as well. Your spam will never make it onto my weblog, no need to automate against this form)

